The question of accountability under national law for the wrongs committed by international companies has been debated and litigated for many years in many different courts and across many different countries. Often these disputes involve defamation or data protection, sometimes contracts or even crimes.
But the judicial conclusion is almost always the same. Online actors cannot hide behind the location of their headquarters once they go out into the big wide world to reach a global clientele. The rationale is simple: you have to take the rough with the smooth. If you get the benefit of a foreign market, you also ought to comply with the laws of that market.
This means that Google’s attempt to persuade the High Court in London to throw out a privacy claim brought against it by British internet users is bound to fail.
The civil claim for damages has been brought as a test case by a group known as Safari Users Against Google’s Secret Tracking. It alleges that Google breached the privacy of millions of users by bypassing the security settings on web browser Safari, installing cookies and collecting information on their browsing habits between summer 2011 and spring 2012, without their informed consent. This was in order to target them with personalised adverts based on their browsing data, a practice that is very profitable for Google.
The group says that in doing this Google committed a “breach of confidence” against its users as well as a breach of UK/European data protection rules. Google in turn argues that the case should not be heard by the High Court in London because it is not subject to the British justice system. Instead, the claim should be heard in California where the company is headquartered.
On the face of it, the issue is procedural and hinges on the question of whether the English court has the right to hear and determine a claim against the foreign defendant in this case.
The answer depends on technical questions about whether Google is “domiciled” in a member state that is subject to the EC Regulation on Jurisdiction, Recognition and Enforcement of Judgments in Civil and Commercial Matters. If not, it depends on whether English law permits the service of a claim form based on Google’s “presence” in England and, if so, whether an English court is a “convenient” place to hear the claim.
The general upshot of all these technical legal tests is a practical focus on where the harmful conduct has occurred. If that harm has occurred in England, which is no doubt the case here, then the High Court in London is very likely to allow the action by the Safari users to go ahead.
The internet in bits
Of course, this is about much more than legal technicalities. Big issues are at stake and the case is as much a test case for Google as it is for English Safari users and indeed all Google users in Europe. We have had many such test cases before but these global corporate players are not giving up.
When asked if online businesses and other actors, large or small, should be answerable to legal justice systems outside their home state, courts everywhere have insisted that yes, they should. Of course, Google has the resources to comply with the laws of all the countries in which it does business. For smaller companies, it’s a bit more problematic and they are forced to forgo the international commercial possibilities the internet opens up.
But if we insist that companies comply with English or European law, even big players will have to create different sites for their users from different states. By doing that we are going down the route of a territorially segmented internet. Do we want this?
On the other hand, the Google case also raises the substantive question as to which privacy and data protection standards are the appropriate ones. As beauty is in the eye of the beholder, so is the question of privacy. Legal standards vary between cultures and legal systems.
When Google argues that this privacy case should be heard in the US, it is not playing straight. It knows that the claim would be very unlikely to see the light of day in the US: a judge recently dismissed a comparable claim on the basis that users had not come to any harm even if they were tracked.
By all means let us engage with the question of whether cookies cause any real harm and whether perhaps we can find a substantive middle (mid-Atlantic) ground on the appropriate level of privacy/data protection. Yet let us not pretend that we can apply European law to global online activity without territorially segmenting cyberspace (which we cannot). Equally, let us not pretend that we can defer to the local home standards of global players (in this case California) without substantially undermining higher legal standards elsewhere (which we cannot either).